Topics In Information Security - PowerPoint PPT Presentation

1
Topics In Information Security
  • Instant Ciphertext-Only Cryptanalysis of GSM
    Encrypted Communication

Elad Barkan, Eli Biham, Nathan Keller
Presented by Idan Sheetrit idanshee_at_post.tau.ac.il
2
Introduction
  • GSM is the most widely used cellular system in
    the world (over a billion customers).
  • It is based on second-generation cellular technology
    (offers digitized voice).
  • GSM was the first cellular system that seriously
    considered security threats.
  • GSM was influenced by the political atmosphere
    around cryptology in the 1980s (which did not allow
    civilians to use strong cryptography).
  • It protects only the air interface.

3
GSM structure
[Diagram: MSC, BSC, ISDN/PSTN, Modem/TA, Internet]
  • BSC - Base Station Controller
  • BTS - Base Transceiver Station
  • MSC - Mobile Switching Center
  • AuC - Authentication Centre
  • TA - Terminal Adapter
4
GSM Security
[Diagram: Mobile Station, Radio Link, GSM Operator, SIM, Ki, Ki]
  • Ki: pre-shared secret.
  • A3, A8: one-way functions.
  • A5/0: no encryption. A5/1: export restricted.
    A5/2: for export (weaker).

5
Description of A5/2
The key setup of A5/2
6
Description of A5/2 (2)
  • First initialize A5/2 with Kc and f.
  • Run A5/2 for 99 cycles
  • Run A5/2 for 228 cycles and use the output as
    keystream.
  • The first 114 bits are used as keystream to encrypt
    the downlink, and the second 114 bits are
    used for the uplink.

7
Previous work
  • A5/1 and A5/2 were reverse engineered.
  • Several known-plaintext attacks were published.
  • The best attack requires only four plaintext data
    frames.

8
Ciphertext-Only Attack on A5/2
  • GSM must use error correction to withstand
    reception errors.
  • During transmission, a message is first subjected
    to an error-correction code and then encrypted.
  • The structured redundancy in the message can be used
    for a ciphertext-only attack.

9
Ciphertext-Only Attack on A5/2
  • Coding and interleaving operations can be modeled
    as a multiplication of the message by a constant
    matrix.
  • P: 184-bit message
  • G: constant 456x184 matrix over GF(2)
  • g: constant vector
  • M = (G P) xor g (divided into 4 data frames)
  • G is a binary matrix, so there are 456 - 184 = 272
    equations that describe the kernel of the inverse
    transformation.
  • H: the matrix that describes these 272 equations,
    i.e. H(M xor g) = 0

10
Ciphertext-Only Attack on A5/2
  • C = M xor k (k is the keystream)
  • H(C xor g) = H(M xor k xor g) = H(M xor g)
    xor Hk = 0 xor Hk = Hk
  • C is known, so we have linear equations over the
    bits of k.
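
The identity on slides 9 and 10, checked on a toy code. This is an added example, not code from the presentation or the paper: the dimensions 4 and 10 stand in for 184 and 456, the matrix G, the vector g and the keystream k are constructed at random, and all function names are hypothetical. It also contrasts the GSM order (encode, then encrypt) with encrypting before encoding, where the syndrome carries no keystream information.

```python
import random

M_BITS, N_BITS = 4, 10            # toy stand-ins for the slides' 184 and 456

def matvec(rows, v):
    """Multiply a GF(2) matrix (list of bit rows) by the bit vector v."""
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in rows]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def make_code(rng):
    """Constructed systematic code: G = [I ; A], hence H = [A | I] and H*G = 0."""
    r = N_BITS - M_BITS
    A = [[rng.randint(0, 1) for _ in range(M_BITS)] for _ in range(r)]
    G = [[int(i == j) for j in range(M_BITS)] for i in range(M_BITS)] + A
    H = [A[i] + [int(i == j) for j in range(r)] for i in range(r)]
    g = [rng.randint(0, 1) for _ in range(N_BITS)]
    return G, H, g

def encode(G, g, P):
    return xor(matvec(G, P), g)               # M = (G P) xor g

def syndrome(H, g, C):
    return matvec(H, xor(C, g))               # H(C xor g)

def demo(seed=1, messages=8):
    """Return (encode-then-encrypt syndromes, H*k, encrypt-then-encode syndromes)."""
    rng = random.Random(seed)
    G, H, g = make_code(rng)
    k = [rng.randint(0, 1) for _ in range(N_BITS)]    # stand-in keystream
    leaky, safe = [], []
    for _ in range(messages):
        P = [rng.randint(0, 1) for _ in range(M_BITS)]
        C = xor(encode(G, g, P), k)                   # C = M xor k, as in GSM
        leaky.append(syndrome(H, g, C))
        # Contrast: encrypt P first, then encode; the syndrome is always zero.
        safe.append(syndrome(H, g, encode(G, g, xor(P, k[:M_BITS]))))
    return leaky, matvec(H, k), safe

if __name__ == "__main__":
    leaky, Hk, safe = demo()
    print("H*k                      :", Hk)
    print("H(C xor g), every message:", leaky[0], all(s == Hk for s in leaky))
    print("encrypt-then-encode      :", safe[0])
```

Each of the N_BITS - M_BITS syndrome bits is one linear equation over the bits of k that holds whatever the plaintext was, which is what makes the attack ciphertext-only.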

11
GSM Service Request and Authentication Protocol
[Message sequence diagram: Service Req; Ack (Use A5/1); Authentication Data Request; RAND, XRES, Kc; AUTHREQ(RAND); SRES = XRES?; AUTHREQ(SRES); Cipher]
12
Class-Mark Attack
  • An attacker can change the class-mark
    information that the phone sends to the network.
  • The attacker's signal must override the
    phone's signal, or the attacker must act as a
    man-in-the-middle.

[Diagram: Network; Service Req (A5/1); Service Req (A5/2); Use A5/2]

13
Recovering Kc of Past or Future Conversations
  • The protocol doesn't provide any key separation
    (all encryption algorithms use the same key).
  • An attacker can use a fake base station and
    instruct the phone to use A5/2 and then easily
    resolve Kc (Future Conversation Attack).
  • If an attacker recorded the conversation, he can
    send the recorded RAND to the phone.
  • If the attacker has access to the SIM, he can
    easily get Kc.
  • If he doesn't, he can instruct the phone to use
    A5/2.

[Message sequence diagram: RAND; RES; Use A5/2; Cipher (A5/2)]
14
Man in the middle attack
[Message sequence diagram: RAND; RAND; RES; CIPHMODCMD: A5/2; CIPHMODCMD (Encrypted); RES; CIPHMODCMD: A5/1; CIPHMODCMD (Encrypted)]
15
Attack Scenarios
  • Call Wire-Tapping
  • Call Hijacking
  • Altering of Data Messages (SMS)
  • Call Theft: Dynamic Cloning

16
Protocol Weakness
  • The authentication protocol can be executed at the
    beginning of the call. The phone cannot ask for
    authentication. If there is no
    authentication, Kc stays as in the previous
    conversation.
  • The network chooses the encryption algorithm (the
    phone only reports the ciphers it supports).
  • The class-mark message is not protected.
  • There is no mechanism that authenticates the
    network to the phone.
  • No key separation between the algorithms or
    methods of communication.
  • RAND reuse is allowed.

17
Acquire a Specific Victim
  • GSM includes a mechanism that is intended to
    protect the identity of the mobile
    phone.
  • Each subscriber is allocated a Temporary Mobile
    Subscriber Identity (TMSI) over an encrypted link.
  • The TMSI can be reallocated every once in a while,
    in particular when there is a change in the
    location.
  • The TMSI is used to page on incoming calls and for
    identification during unencrypted parts.
  • The fixed identification of the subscriber is its
    International Mobile Subscriber Identity (IMSI).
  • If both TMSI and IMSI are unknown to the attacker,
    he may be forced to listen in to all the
    conversations in the area.

18
Acquire a Specific Victim (2)
  • The attacker has the victim's phone number and
    wishes to associate it with the subscriber's IMSI
    or TMSI.
  • Solutions:
  • Can call the victim, and monitor all the calls
    (recognize his own caller ID).
  • Send a malformed SMS message.
  • When performing an active attack, the attacker
    needs to lure the mobile into his own fake base
    station.

19
GSM-Security
  • Cryptographic methods are secret, not well examined.
  • Symmetric procedure.
  • Consequence: storage of user-specific secret keys
    with network operators is required.
  • No end-to-end encryption.
  • Key generation and administration are not controlled
    by the participants.
  • The same key is used for A5/1 and A5/2.
  • No mutual authentication intended.
  • Consequence: an attacker can pretend to be a GSM network.
  • No end-to-end authentication.
  • As a result of the initial publication of this
    paper, the GSM security group is working to remove
    A5/2 from the handsets.

20
Thank you
21
Homework
  • Define in one line each of the following: GSM, UMTS,
    DECT, TETRA, ERMES.
  • Why does using a SIM help security?
  • How would you attack someone's GSM mobile phone?
    Describe the system and the steps of the attack.
  • Describe at least 3 known weaknesses of GSM and
    how you could fix them if you could change the
    standard or the system.
  • Bonus: Describe a new attack (which isn't
    mentioned in the paper) on a GSM network.

E-Mail: idanshee_at_post.tau.ac.il
22
GSM structure
[Diagram: Fixed network, Switching Subsystems, Radio Subsystems, Data networks; nodes OMC, VLR, HLR, AuC, EIR, (G)MSC, BSC, BTS, BSS, MS, PSTN/ISDN]
  • MS - Mobile Station
  • (G)MSC - (Gateway) Mobile Switching Centre
  • OMC - Operation and Maintenance Centre
  • PSTN - Public Switched Telephone Network
  • VLR - Visitor Location Register
  • ISDN - Integrated Services Digital Network
  • AuC - Authentication Centre
  • BSS - Base Station Subsystem
  • BSC - Base Station Controller
  • BTS - Base Transceiver Station
  • EIR - Equipment Identity Register
  • HLR - Home Location Register
23
GSM protocols, incoming call
[Diagram: call flow between GMSC, HLR, VLR, MSC and BSS, steps (1) to (12)]
(1) Call from fixed network was switched via GMSC
(2) GMSC finds out HLR from phone number and
transmits need of conversation
(3) HLR checks whether participant for a corresponding service
is authorized and asks for MSRN at the
responsible VLR
(4) MSRN will be returned to
GMSC, can now contact responsible MSC
24
GSM protocols, incoming call
[Diagram: call flow between GMSC, HLR, VLR, MSC and BSS, steps (1) to (12)]
(5) GMSC transmits call to current MSC
(6) Ask for the state of the mobile station
(7) Information whether end terminal is active
(8) Call to all cells of the Location Area (LA)
(9) Answer from end terminal
(10 - 12) Security check and connection construction
25
GSM protocols, outgoing call
(1) Demand on connection
(2) Transfer by BSS
(3-4) Control for authorization
(5) Switching of the call demand to fixed net
26
Protocol